Legal requirements for an online store: LSSI and GDPR checklist

·

Setting up an online store in Spain has never been easier from a technical standpoint, but the legal side remains a wall that many merchants run into. The Law on Information Society Services (LSSI-CE), the General Data Protection Regulation (GDPR), the General Law for the Defence of Consumers and Users (TRLGDCU) and the Law on the Organisation of Retail Trade form a regulatory framework that applies to any company selling online in Spain, regardless of its size or whether it is a sole trader or a limited company. In this article we explain which documents you need, what information you must publish and what the consequences of non-compliance are, with data updated to 2026.

Which laws govern an online store in Spain?

Before detailing the requirements one by one, it is worth having a clear picture of the regulatory landscape. This is not a single law: there are at least four rules that overlap and affect different aspects of the digital business:

These rules are supplemented by the European Directives transposed by Spain: the Omnibus Directive (EU 2019/2161, in force since May 2022) strengthens digital consumer rights; the Digital Services Act (DSA, EU Regulation 2022/2065) imposes new transparency obligations on platforms.

Legal notice: the identity card of your online business

The legal notice is the first mandatory document required by Article 10 of the LSSI. It must be accessible at all times from any page of the website and must include at a minimum:

Failure to comply with Article 10 LSSI is classified as a minor infringement punishable by up to €30,000 under Article 38.1 of the same law. In practice, the Secretary of State for Digitalisation and Artificial Intelligence (SEDIA) — which has assumed competence in this area — has increased the number of proceedings initiated in recent years.

Privacy policy and GDPR: more than a copied text

Any online store collects personal data from the very first moment: when creating an account, processing an order, subscribing to a newsletter or simply installing Google Analytics. Article 13 of the GDPR requires informing the user before collecting their data about:

One aspect that many online stores overlook is the legal basis for processing. Not everything can be covered by consent; in most cases, the processing of data to perform a sales contract is based on Article 6.1.b of the GDPR (contractual performance), which means that explicit consent is not required for that data, but it is required for sending subsequent commercial communications.

For comprehensive data protection management in your store, our LSSI and e-commerce consultancy team prepares documentation tailored to your business model and guides you through implementation.

Cookie policy: the most frequently breached rule

The Guide on the use of cookies published by the AEPD in 2023 (revised in 2024) establishes that any website that installs or reads non-strictly necessary cookies must:

  1. Display a banner on the first visit that allows accepting, rejecting or configuring cookies before they are installed.
  2. Give the same prominence to the «reject» button as to the «accept» button.
  3. Not use dark patterns that make rejection difficult (hidden buttons, misleading colours, pre-selected options).
  4. Maintain a cookie policy accessible from the banner and from the footer with the complete list of cookies, their purpose and duration.
  5. Record consent and be able to demonstrate it to the AEPD if required.

The AEPD may sanction non-compliance in cookie matters as a GDPR infringement, with fines that can reach €10 million or 2% of global turnover (Article 83.4 of the GDPR), although in practice fines for SMEs range between €3,000 and €150,000 depending on the severity.

General terms and conditions of sale: the contract with your customer

The general contracting conditions are the document that governs the commercial relationship between your store and the customer. For distance contracts (which include online purchases), the TRLGDCU requires providing the consumer, before placing the order, with the following pre-contractual information:

If you do not inform customers of their right of withdrawal, the period is automatically extended to 12 months under Article 105 of the TRLGDCU. This detail, unknown to many merchants, represents a significant legal risk if a customer makes a claim after the 14-day period.

Comparative table: mandatory documents under the regulations

Document Reference regulation Mandatory for Maximum penalty for non-compliance
Legal notice LSSI art. 10 Any website with economic activity €30,000 (minor infringement)
Privacy policy GDPR art. 13 / LOPDGDD Any website processing personal data Up to €20M or 4% of global turnover
Cookie policy GDPR + AEPD Guide 2023 Any website using non-essential cookies Up to €10M or 2% of global turnover
General terms and conditions of sale TRLGDCU + Law 7/1998 Stores selling to end consumers Up to €100,000 (TRLGDCU art. 49)
Pre-contractual information TRLGDCU arts. 97-99 All B2C distance contracts Up to €100,000 + extended withdrawal period
ODR platform link EU Regulation 524/2013 Stores selling to EU consumers Variable administrative infringement by region

Specific requirements for the sale of certain products

In addition to the general framework, certain sectors have additional requirements that the online store must comply with:

Food and beverages

EU Regulation 1169/2011 on food information requires providing in the product listing the 14 allergens, nutritional information, ingredient list and country of origin for certain products. Alcoholic beverages with more than 1.2% vol. must indicate the alcohol content.

Electrical and electronic products

The product listing must include the energy label (EU Regulation 2017/1369 and its product-specific delegated regulations) and information about the WEEE waste management system (Royal Decree 110/2015). Since 2024, online distributors are required to inform consumers about the nearest collection point.

Cosmetics and medical devices

Governed by EU Regulation 1223/2009 (cosmetics) and EU Regulation 2017/745 (medical devices), they require specific information in the listing: INCI list, batch number, expiry date and, for medical devices, the CE number and the notified body.

Commercial communications and email marketing

Article 21 of the LSSI prohibits sending commercial communications by email without the prior consent of the recipient. This consent must be:

The exception in Article 21.2 LSSI allows sending commercial communications to existing customers about products or services similar to those already purchased, provided that you have given them the opportunity to opt out in each communication.

Tax obligations and invoicing

The online store must issue an invoice to any customer who requests one and to all business customers (B2B). For sales to end consumers (B2C), it is mandatory to issue at least a purchase receipt or simplified invoice. If the store sells to customers in other European Union countries and exceeds €10,000 per year in intra-Community distance sales, it must register under the One Stop Shop (OSS) scheme with the AEAT to settle VAT in the consumer's country.

If your invoicing system needs to adapt to Verifactu or the mandatory B2B electronic invoice derived from the Crea y Crece Law, Summum Consultoría coordinates the legal and technical analysis together with the systems team.

Web accessibility: a real obligation since 2025

Law 11/2023 of 8 May (BOE-A-2023-11022), which transposes the European Accessibility Act (EAA, Directive 2019/882), requires e-commerce services to meet Level AA accessibility requirements (WCAG 2.1) for new services provided to consumers from 28 June 2025. This obligation applies to any online store selling to consumers in the EU, regardless of its size. Royal Decree 1112/2018 (EU Directive 2016/2102) applies to the public sector; the private sector is covered by Law 11/2023 and the EAA. Non-compliance can result in fines of up to €600,000 in the most serious cases.

Quick checklist before launching your store

Here are ten minimum checks you should carry out before activating sales:

  1. Visible and complete legal notice (LSSI art. 10).
  2. Privacy policy updated to the GDPR with the legal basis for each processing activity.
  3. Cookie banner compliant with the AEPD Guide 2023 with an equally visible rejection option.
  4. General terms and conditions of sale with the 14-day right of withdrawal clearly stated.
  5. Prices shown VAT-inclusive with indication of shipping costs before completing the order.
  6. Withdrawal form available for download (required by TRLGDCU art. 102).
  7. Link to the European Commission ODR platform in the footer.
  8. Newsletter subscription form with explicit consent and no pre-ticked box.
  9. Record of processing activities (GDPR art. 30) documented internally.
  10. Data processing agreements with processors (payment gateway, logistics platform, email marketing tool).

Frequently asked questions

Does a small online store or sole trader have the same obligations as a large company?

Yes, in essence. The LSSI, the GDPR and the TRLGDCU apply regardless of business size. The only relevant difference is that the GDPR sets thresholds for some additional obligations (such as the Data Protection Officer or impact assessment), which most small online stores do not reach. But the legal notice, privacy policy, cookies and terms of sale are mandatory from day one, for any merchant.

What happens if I copy the legal texts from another store?

It is a common mistake with two consequences. First, the copied texts probably do not match your specific business model (your products, your shipping timelines, your payment providers). Second, if the other store had incorrect texts, you inherit their non-compliance too. In the event of an inspection or a customer complaint, generic or copied texts do not demonstrate that you have met your information obligations. There may also be a copyright infringement regarding the copied texts.

How often should legal texts be updated?

Whenever the circumstances they document change: new service providers processing data, changes in cookie policy when adding new analytics or advertising tools, changes in shipping or return conditions, regulatory changes. In practice, an annual review is a reasonable minimum; in an active digital environment, reviewing them every six months is advisable. The AEPD publishes guides and resolutions periodically that may affect the wording of the privacy and cookie policies.

Do I need a DPO (Data Protection Officer) for my online store?

For most small and medium-sized online stores, it is not mandatory to appoint a DPO. Article 37 of the GDPR requires it when data processing is carried out on a large scale, when special categories of data (health, ideology, religion…) are processed systematically, or when the main activity involves the systematic monitoring of individuals. However, if your store operates in sectors such as health, food for vulnerable groups or subscription products with intensive profiling, it is worth analysing whether the threshold is exceeded. You can find more information in our guide on external DPO.